Win32/Sirefef is a multi-component family of malware that uses stealth to hide its presence on your computer. Due to the nature of this threat, the payload may vary greatly from one infection to another, although common behavior includes:
- Downloading and executing arbitrary files
- Contacting remote hosts
- Disabling security features
Installation
The dropper component of Win32/Sirefef has been observed being distributed by exploits and programs that promote software-piracy, such as 'keygens' and 'cracks' (programs designed to bypass software licensing).
Variants of Win32/Sirefef may also be dropped or installed by other malware, including variants of the Trojan:Win32/Necurs family.
In the wild, newer Sirefef variants have been observed dropping the following two files to a chosen directory, for example, C:\recycler\s<removed>\<removed>:
- "@" - this file contains information that Sirefef can use to find other infected computers
- "n" - this file contains the malicious code for peer-to-peer (P2P) communication
These newer variants then make the following changes to the registry to ensure that Sirefef runs each time you start your computer:
In subkey: HKLM\Software\Classes\clsid\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32
Modifies value: "(Default)"
From data: "<system folder>\wbem\wbemess.dll"
With data: "<path to n>" (for example, "c:\recycler\s<removed>\<removed>\n")
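A quick way to check the persistence point described above is to read the (Default) value of that InprocServer32 key and compare it with the clean path. The following PowerShell is an added example, not part of the original page; it assumes that "<system folder>" is %SystemRoot%\system32 (so the clean target is %SystemRoot%\system32\wbem\wbemess.dll) and that the CLSID and drop-location conventions are exactly as the page gives them. Run it from an elevated prompt.

```powershell
# Added example (not from the original page): check whether the CLSID named on the
# page still loads the clean wbemess.dll or has been redirected to a dropped "n" file.
# Assumptions: clean target is <system folder>\wbem\wbemess.dll, "<system folder>"
# being %SystemRoot%\system32; nothing else here is taken from the page.

$clsid    = '{5839fca9-774d-42a1-acda-d6a79037f57f}'
$expected = Join-Path $env:SystemRoot 'system32\wbem\wbemess.dll'

# Inspect both the native view and, on 64-bit Windows, the WOW64 view of HKCR.
$keys = @(
    "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32",
    "HKLM:\Software\Classes\Wow6432Node\CLSID\$clsid\InprocServer32"
)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }

    # The (Default) value is exposed as a property literally named "(default)".
    $raw = (Get-ItemProperty -Path $key).'(default)'
    if ([string]::IsNullOrEmpty($raw)) {
        Write-Output "SUSPICIOUS: $key has an empty (Default) value"
        continue
    }

    # The clean value is stored with %SystemRoot% in it; expand before comparing.
    $actual = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')

    if ($actual -ieq $expected) {
        Write-Output "OK: $key -> $actual"
        continue
    }

    Write-Output "SUSPICIOUS: $key -> $actual (expected $expected)"
    # The page's example drop location is under the Recycler folder; an in-process
    # server living there, or anywhere outside the Windows folder, is a strong signal.
    if ($actual -match '\\recycler\\' -or
        -not $actual.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')) {
        Write-Output "  server path is outside the Windows folder"
    }
    if (Test-Path -LiteralPath $actual) {
        Get-Item -LiteralPath $actual -Force |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}
```

Because Sirefef hides its files with a disk-level hook (see "Additional information" below), the Get-Item line may report nothing even when the registry value is clearly wrong; treat the mismatch itself as the finding and confirm from an offline boot or a clean system.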
When executed, older variants of Sirefef attempt to replace a randomly-selected system driver with its own malicious copy. The replaced driver could be any of the following:
- afd.sys
- i8042prt.sys
- ipsec.sys
- mrxsmb.sys
- netbt.sys
- raspppoe.sys
- serial.sys
Note that this list is not comprehensive.
The replaced driver will load each time you start your computer. The replaced driver may be detected as a variant of Virus:Win32/Sirefef or as TrojanDropper:Win32/Sirefef.B.
Payload
Downloads and executes arbitrary files
Sirefef uses a peer-to-peer (P2P) protocol to download or update additional malware components from remote peers. The downloaded components are saved to a U\ subdirectory of a hidden folder that it creates for this purpose. The downloaded components may:
- Tamper with your Internet browsing by modifying search results
- Generate pay-per-click advertising revenue for its controllers
- Run Bitcoin (digital currency) mining on the affected computer
Stops and deletes security-related services
Sirefef attempts to stop and delete the following security-related services:
- Windows Defender Service (windefend)
- IP Helper Service (iphlpsvc)
- Windows Security Center Service (wscsvc)
- Windows Firewall Service (mpssvc)
- Base Filtering Engine Service (bfe)
Contacts remote hosts
Sirefef contacts a remote host to send information about your computer. This information may then be used to create a network of infected computers that the attacker may utilize for practically any purpose.
Turns off Windows Firewall
Sirefef attempts to turn off Windows Firewall to make sure its own traffic won’t be blocked.
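The service deletions listed under "Stops and deletes security-related services" and the firewall tampering just described leave an easily checked footprint. The PowerShell below is an added example, not part of the original page: it reports whether each of the five named services is still registered and running, and whether the firewall profiles are enabled. It assumes the short service names given on the page, PowerShell 3 or later (for Get-CimInstance), Get-NetFirewallProfile on Windows 8 / Server 2012 and later with netsh advfirewall as the fallback on Vista and 7, and an elevated prompt.

```powershell
# Added example (not from the original page): report the state of the services the
# page lists as Sirefef targets, then the Windows Firewall profile state.
# Assumptions: short service names as given on the page; PowerShell 3+; run elevated.

$targets = [ordered]@{
    windefend = 'Windows Defender Service'
    iphlpsvc  = 'IP Helper Service'
    wscsvc    = 'Windows Security Center Service'
    mpssvc    = 'Windows Firewall Service'
    bfe       = 'Base Filtering Engine Service'
}

foreach ($name in $targets.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    # A deleted service also loses its key under CurrentControlSet\Services.
    $keyPresent = Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

    if ($null -eq $svc -and -not $keyPresent) {
        Write-Output "MISSING : $name ($($targets[$name])) - service and registry key gone"
    } elseif ($null -eq $svc) {
        Write-Output "MISSING : $name ($($targets[$name])) - key present, service not registered"
    } else {
        # StartMode shows whether the service was merely stopped or also disabled.
        $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").StartMode
        $flag = if ($svc.Status -eq 'Running') { 'RUNNING ' } else { 'STOPPED ' }
        Write-Output "$flag: $name ($($targets[$name])) - Status $($svc.Status), StartMode $mode"
    }
}

# Firewall: the page says Sirefef turns it off so that its own traffic is not blocked.
if (Get-Command -Name Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    Get-NetFirewallProfile | ForEach-Object {
        $state = if ($_.Enabled -eq 'True') { 'ON ' } else { 'OFF' }
        Write-Output "FW $state : $($_.Name) profile"
    }
} else {
    # Vista / 7 fallback; output is locale-dependent, read it by eye.
    netsh advfirewall show allprofiles state
}
```

A MISSING windefend on its own is not conclusive: Windows XP systems that never had Windows Defender installed do not register that service. The combination that matters is several of these services gone together with mpssvc or bfe missing, because bfe is also what the firewall depends on.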
Additional information
Sirefef implements a disk-level hook to hide its own presence on your computer. If an attempt is made to read the replaced driver, Sirefef returns the original, clean driver. Any modifications that are made to this driver will have no impact on the computer, as the replacement, malicious driver will always run instead.
Sirefef includes a self-defense mechanism to protect itself against security-related software; the malware attempts to stop and delete any process that tries to access Sirefef's components.
Infects files / Uses stealth
Some Sirefef variants have been observed infecting "services.exe" with shellcode that loads malicious data from NTFS Extended Attributes (EA). It uses Extended Attributes to store additional components, which it later loads, as part of its effort to hide itself on your computer: the components never appear as ordinary files in a directory listing.
Intercepts and hijacks network traffic
Some variants of Sirefef may drop a Windows Sockets (Winsock) service provider file, which it registers in order to intercept and/or hijack network activity so it can redirect your browser.
In the wild, we have observed this file being dropped as:
- %windir%\assembly\GAC\desktop.ini or
- %windir%\assembly\GAC_32\desktop.ini
Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, 7, and 8 it is "C:\Windows".
Creates a folder in which to store other malware
Sirefef creates a special folder configured as a reparse point (an NTFS directory carrying user-defined reparse data, the mechanism normally used for junctions and mount points) in which to store additional malware components, as well as the original clean copy of the replaced driver.
The created folder uses the following format:
<system root>\$NtUninstallKB<number>$
where <number> is a randomly generated number.
Note: The files stored under this folder are encrypted, and are not generally accessible.
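The two file-system artifacts described in the last two sections, the Winsock provider dropped as desktop.ini under the GAC folders and the $NtUninstallKB<number>$ reparse-point folder, can be looked for directly. The PowerShell below is an added example, not part of the original page. It assumes that "<system root>" means %SystemRoot%, that legitimate $NtUninstallKB<number>$ hotfix-uninstall folders on Windows XP/2003 are ordinary hidden directories (so the ReparsePoint attribute is the distinguishing feature), that netsh and fsutil print English output, and an elevated prompt.

```powershell
# Added example (not from the original page): look for the on-disk artifacts the page
# describes. Assumptions: "<system root>" is %SystemRoot%; genuine $NtUninstallKB<n>$
# folders are plain hidden directories; netsh/fsutil output is English; run elevated.

# 1. Winsock provider dropped as desktop.ini under the GAC folders.
$lspPaths = @(
    (Join-Path $env:windir 'assembly\GAC\desktop.ini'),
    (Join-Path $env:windir 'assembly\GAC_32\desktop.ini')
)
foreach ($p in $lspPaths) {
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p -Force
        Write-Output ("SUSPICIOUS: {0} ({1} bytes, attrs {2})" -f $f.FullName, $f.Length, $f.Attributes)
    }
}

# A real desktop.ini is a small text file; a Winsock provider has to be a PE image,
# and if it was registered it is listed in the Winsock catalog by its path.
netsh winsock show catalog 2>$null |
    Select-String -Pattern 'desktop\.ini' |
    ForEach-Object { Write-Output "SUSPICIOUS: Winsock catalog entry -> $($_.Line.Trim())" }

# 2. A $NtUninstallKB<number>$ folder under the system root that is a reparse point.
Get-ChildItem -LiteralPath $env:SystemRoot -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.PSIsContainer -and
        $_.Name -match '^\$NtUninstallKB\d+\$$' -and
        ($_.Attributes -band [IO.FileAttributes]::ReparsePoint)
    } |
    ForEach-Object {
        Write-Output "SUSPICIOUS: reparse-point folder $($_.FullName) (attrs $($_.Attributes))"
        # fsutil prints the reparse tag. A junction/mount point is 0xA0000003 and a
        # symbolic link 0xA000000C; any other tag on a folder here deserves a look.
        fsutil reparsepoint query $_.FullName 2>$null | Select-String -Pattern 'Reparse Tag'
    }
```

Remember that the disk-level hook described under "Additional information" can hide these objects from a live system, so an empty result is only meaningful when the check is run from an offline boot (for example, a recovery environment) where the malicious driver is not loaded.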
Further reading
Analysis by Chun Feng